1
Mac OS X Malware Vulnerabilities (November 2008)
Michael Grebenyuk, Albert Sodyl, Byron Thiessen, Sijia Wang
and read by the operating system loader for that object format. Abstract—Mac OS X is commonly known to be a secure Various object formats exist, such as ELF, PE/COFF, and operating system however this is a misconception. Mac OS X MachO. does have security flaws and a proofofconcept virus was created The MachO (Mach Object) object format is used by by the authors to exploit universal binary files. This virus infects other binaries on the system and captures private user data, operating systems based on the Mach kernel, such as emailing it to the attacker. There are several possible defence NeXTSTEP and Mac OS X. The MachO format provides strategies to defend against exploits such the one presented. These both intermediate and final storage of the machine code and include prevention using stricter access control with sandboxing, data. Features for dynamic linking were later added on top of and detection by various methods such as signature detection, the statically linked executable code at runtime, resulting in a change detection, and activity scanning. single file format that is both dynamic and statically linked.
The basic MachO file contains three major regions (Fig. 1). Index Terms—Computer security, computer viruses
I. INTRODUCTION PPLE advertises their Mac OS X operating system as A being very secure through their marketing campaigns. A quote from their website claims that it “delivers the highest level of security through the adoption of industry standards, open software development and wise architectural decisions. Combined, this intelligent design prevents the swarms of viruses and spyware that plague PCs these days” [1]. As a result of this, and the lack of prevalent malware on the platform, many Macintosh users believe that Mac OS X really is secure. Advertisements such as the popular Mac vs. PC commercials only contribute to the hype, even for non Macintosh users. Therefore, most are oblivious to malware threats on Mac OS X. However, the security of Mac OS is a myth, as it has vulnerabilities just like other operating systems, and should exploits become more common, it would Fig. 1. MachO file format basic structure. The 3 main regions are header, significantly increase the risk of using a Mac OS X [2], [3]. load commands and sections. Each segment command has zero or more section commands associated with it. This project analyzes how effective the security of Mac OS X really is when it comes to malware, such as viruses and At the beginning of every MachO file is a header spyware. By presenting a working exploit in the form of a mach_header that identifies the file as a MachO type using a Mac OS X virus that does alarmingly malicious actions, we magic number 0xfeedface. The header also contains hope to gain the attention of Mac OS X users and provide information such as the CPU type, file type, total size of the insight on how Mac OS X is just as vulnerable as other load commands and various other flags that will affect the operating systems, and present strategies for defending against interpretation of the rest of the file. The mach_header such threats. structure is as follows: struct mach_header { II. BINARY FORMATS uint32_t magic; cpu_type_t cputype; A. MachO Format cpu_subtype_t cpusubtype; Operating systems use various object formats to store uint32_t filetype; uint32_t ncmds; executable code and their libraries and associated metadata. uint32_t sizeofcmds; They act as blueprints for mapping out processes images in uint32_t flags; }; memory. Object files are created by compilers or assemblers 2
Common CPU types supported include PowerPC (0x12) fat_header structure is big endian on both architectures, thus and x86 (0x7). CPU subtypes define specific models of forcing a byte swap on Intel machines. The fat_header processors and are usually 0x0 for PowerPC and 0x3 for Intel structure also contains information such as the archive offset binaries. which allows the loader to take the native binary required for Following the header are a series of load commands that certain types of architecture and run it as if it was a single specify the layout and linkage characteristics of the file. MachO. Because the native code is being run, it executes just struct load_command { as fast as a pure native MachO file. The only drawback to this uint32_t cmd; is the universal binary’s size. As mentioned before, universal uint32_t cmdsize; binaries are simply archives of two MachO files which }; generally are double in size of a single MachO. However, This structure specifies the initial layout of the file in virtual this drawback doesn’t affect the end user significantly since memory, the initial execution state of the main thread of the file storage sizes have grown an astounding amount. program as well as location of symbol tables and names of shared libraries. The most important load commands are III. INFECTING MAC OS X BINARIES LC_SEGMENT, LC_THREAD, and LC_UNIXTHREAD. In particular, LC_THREAD holds the initial state of the registers A. Concatenation Method when a thread starts, this load_command can be used to Apart from utilizing specific MachO binary features, a retrieve or modify the entry point of a thread. simple way of infecting binaries is with the concatenation The third section of the MachO is the Data section which is method. This method works by concatenating two MachO divided into one or more segments each containing zero or executable objects together. When the result is executed, only more sections pointed to by an LC_SEGMENT load command the first binary will “run”. To use this as an exploit, a binary (Fig. 1). Each segment defines a region of virtual memory that needs to be created that knows its own size and contains a the dynamic linker maps into and each section of a segment potentially harmful payload within. We will call this binary contains code or data of a particular type. Such information the ‘parasite’. To infect a host binary, it simply inserts itself in includes symbol tables and string tables. the beginning of the host binary. In other words, it B. Fat Binaries and Universal Binaries concatenates the host binary with itself, the copies itself to the location of the host binary, overwriting it. When the infected Multiple MachO files can be combined into a multi host binary executes, the parasite must seek to the end of itself, architecture binary. A binary file as such is also called a fat copy the rest of the binary, which is the host program, into a binary due to the increased size of the file. Fat binaries temporary file and execute it as a child process. Then it include machine code for multiple instruction set architectures executes whatever payload desired either before, during, or (ISAs) and thus can be run on multiple processor types. The after the host binary is run. [6] fat binary was developed by NeXT for their NeXTSTEP Such a method is trivial to implement in Mac OS X because operating system to allow Motorola 68k and Intel IA32 based most binaries are writable and it is possible for a process to processors to run the operating system without making open a file descriptor to its own binary. Contrast this with separate versions. After Apple purchased NeXT in 1996, fat Linux where /proc/pid/mem must be used. The location of the binaries continued to be supported in Mac OS X, but it wasn’t temporary file does not matter for all but some ObjectiveC until Apple announced their transition to Intel processors in applications that use @executable_path where the temporary 2005 that they really took off. Fat binaries are not actually binary must reside in the same folder as it was originally in. binary files themselves but rather an archive of binaries. The arguments and environment must be passed unmodified Every fat binary starts with a structure fat_header similar to when executing the temporary file in a fork so the application that of a single MachO file which contains two unsigned has the illusion that its first argument (the location of the integers magic and nfat_arch. The magic number is similar to binary), has not changed. that in a MachO file since it also identifies the file as a fat binary archive. However, for a fat binary the magic number B. Resource Fork Method used is 0xcafebabe. The second unsigned integer is used to Mac OS X file system uses HFS+, a replacement for define how many MachO binaries are contained within the Apple’s Hierarchical File System(HFS). Each file on a HFS+ archive. In Mac OS X, fat binaries are used to support file partition has two forks, data and resource. To access a optimized codes for multiple variants of an architecture such file’s resource fork, the command
A limitation with this approach is that it only works with the The keychains in Mac OS X store all passwords and possibly HFS file system. Since much data is received from CDs, other sensitive data such as credit card numbers. The keychain DVDs, the internet, and nonMac OS X servers, this approach is by default encrypted with the user’s login password. The could have difficulties spreading through certain mediums. login password is not captured by the virus, but easily could be Luckily, the built in archive utility for creating /extracting ZIP through key logging or reading unencrypted swap files as the files in Mac OS X supports preserving resource forks, as well root user. The captured information is then emailed to a as tar and other UNIX utilities when ran on a Macintosh specific email address. The virus does this every time an system. Similar constraints to arguments and environment infected application is run. variables exist for this method as with the concatenation B. Mechanism method. The way the virus works is quite simple. The virus binary is C. Hook MachO Entry or Exit Points compiled as a universal binary and inserted in the beginning of In the MachO binary, the entry point for the initial thread the desired binary to be infected manually. This is can be found in a LC_THREAD or LC_UNIXTHREAD load accomplished with a Perl script that compiles the virus code command. The struct for this command contains an additional once to get the resulting binary size, then modifies the source struct (cpu_thread_state state) that stores the initial state of code with the updated file size, and compiles it again. each register. A free tool called HTE Compilation is done with the help of the make utility and the
$ ./test System folder which contains the essential components of OS File 'test' already infected, skipping file infected. X. The root account is disabled by default and can be activated Makefile a.out host.c by an administrator. parasite.c psite A possibly dangerous property in Mac OS X is the fact that host infector.pl payload.c test $ when the system is first initialized, the first account is created as a member of the admin group which has write access to G. Purpose many binaries files on the system. If a user in the admin group Felcator demonstrates that Mac OS X is vulnerable, as any executed our malware by accident it could infect a large other modern operating system with privilege separation, is to number of files because of the default permissions. A way to virus attacks. Not only are these virus attacks proofof solve this problem is to adjust the OS to require the user to concept, but by showing that malicious acts can be malicious create two accounts upon loading the OS for the first time, one we realize that they are a real threat. Gaining all the user’s administrator account and one standard account. All saved passwords and internet history simply by running a application installation and system modification could be done malicious program unknowingly can cause a lot of damage. in the admin account and everything else could be done in the Many users have been trained to click accept when Safari normal account which would not have permission to write to prompts them if they are downloading an application. The any binary files. Using this method would be utilizing the response will only be natural when a malicious program asks “least privilege” design principle. Another important principle to be downloaded. Even though user interaction is required to to consider when making this change is “psychological spread the Felcator virus, it is not out of the ordinary to rely on acceptability” because the reason why two accounts are user interaction as it is how a lot of malware spreads on other required should be clearly explained to the user. platforms, particularly Microsoft Windows XP. B. Sandboxing V. DEFENSE STRATEGIES Another prevention method is a technique called The preceding sections showed how universal binaries in sandboxing. Sandboxing provides a tightlycontrolled set of Mac OS X can be compromised and exploited to malicious resources for programs to run in, such as scratch space on disk ends. We will now investigate how to defend against such an and memory. By setting a default sandbox for unknown attack. There are two basic defense strategies we will consider: programs, we could make sure that unknown programs could prevention, and detection. We will deal with these two write only to a specified area of the disk and could not write categories separately. Please note that the recommendations in outside of that. This way, there is no chance that our exploit this section are based on Mac OS X version 10.4 (Tiger). could write to a binary file even if the current user has write Version 10.5 was released during our work on this project. access to it. Another way sandboxing could be useful is to sandbox known programs so if they do get compromised by A. Prevention Using Stricter Access Control our exploit, the resources the exploit can access will be limited Prevention means not letting the exploit occur in the first to the host program’s sandbox. Sandboxing is based on the place and this can be accomplished by utilizing the “least “least privilege” principle of designing secure systems. It also privilege” principle of designing secure systems. Mac OS X is utilizes the principle of “defense in depth” because it is an based on the UNIX operating system and has the same access extra layer of access control on top of the user privilege access control model. This model is a discretionary access control control. model which uses access control lists where every file on the system has read, write, and execute privileges assigned to it for VI. DETECTION METHODS various users and groups. If the prevention methods fail and a binary file does get Our exploit has the option of using the pppd vulnerability to infected with our exploit, then it should be detected and gain root access but if the target is not vulnerable, it tries to removed. The tricky part of this is detection because once it is infect binaries using whatever level of access the account in detected then it should be fairly easy to remove. Our exploit which it is running has. If the account that it is running in has could be detected using signature detection, change detection, write access to many binary files then the malware can infect activity scanning or by making macho files more secure by many applications. redesigning the header. All virus detection methods attempt to In Mac OS X there are three types of accounts: standard, ensure the integrity of software because they are designed to administrator, and root. A standard account can only affect the detect code that should not be there. They also indirectly files in his/her home folder. An administrator account has attempt to ensure confidentiality and availability by detecting more access than a standard account and can not only affect malicious software that might harm the confidentiality or the home folder, but also the Applications folder where availability of data. For example, if a virus is designed to applications are installed and the Library folder which contains perform a denial of service attack then a virus scanner would application and OS related support files. The root account can be ensuring data availability by detecting and removing the only be accessed from an admin account and has ultimate virus. Similarly, if a virus was designed to steal credit card powers in the system. This includes the ability to affect the numbers and email them to some email address then a virus 6 scanner that detected it would be ensuring the confidentiality programs and reports any suspicious behavior. It may, for of the data. example, detect any calls to format the disk that were not made by the OS. It may also detect a program tying to modify or A. Signature Detection change binary files because this type of behavior is unusual. One possible way to detect if a binary has been infected Programs other than installers usually only modify data files with our exploit is called signature detection. In this case, the and not executables. An activity based scanner would be signature will be a string of bits found in the malicious portion effective against our exploit because it is an application that of binary that was changed. All of the binaries on the system tries to modify binary files and once it infects a binary file, it could then be scanned looking for the signature. The signature uses the host program to infect other binary files. For example, string would have to be of sufficient size as to minimize false if our exploit infected a word processor, then it would use it to positive matches. Two advantages of this method are that it is infect other binaries. An activity based scanner would monitor simple to implement and it provides specific identification of the activity of the word processor and alert the user if the word viruses. A disadvantage is that information about the exploit processor tried to write to an executable file. A similar type of must be known in order to create a signature to scan for. scanner to an activity based scanner is a heuristic scanner. Another disadvantage is that if a signature was created for the Instead of monitoring activity it looks for suspicious sections exploit, the exploit’s creators could make subtle changes in the of code that are generally found in viral programs. For exploit’s code such as redundant or useless code that wouldn’t example, a heuristic scanner might scan for code in a program change its functionality but would change its signature. In this that looks for other program files. A big advantage of activity way, the malware creator could compile many versions of the based and heuristic scanners is that they can scan for unknown exploit all with different signatures and a signature scanner viruses. The scanner does not need to know the exact nature of would have to have a different signature for each different a virus because it will detect it as long as it does some kind of version. For example, Trudy could have the source code for a general suspicious thing that the scanner is programmed to working virus but a signature has already been created to catch. A big disadvantage is that it is difficult to define bad detect the virus. She could then go back to the source code, behavior that a virus does but a legitimate program never does. create a variable called ‘x’, and then every fourth line insert Nevertheless, activity and heuristic scanners still remain useful the line of code “x = 1”. If the variable ‘x’ was not used in the tools. previous version of the virus then this change would not affect the functionality of the virus but it would affect the compiled D. Improve the MachO Format machine code for the virus and would very likely change its A third way to detect our exploit would be to modify the signature. She could then go back and change the additional design of the MachO file header to include the program lines to “x = 2” and compile a third unique version. This way length. This would be specified as an offset value. Since our she could create any number of unique viruses that all have the exploit concatenates itself to the end of existing binaries, it same functionality but different signatures. modifies the length of the binary. If the length had been specified in the header, then the OS could generate a warning B. Change Detection if the system executed code at an address that the OS thought Another way to detect our exploit is to use change detection. was the exit point of the program but the program did not exit. Change detection can be accomplished by computing a hash of Of course the malware could simply write over information in every binary file on the system. Then, at regular intervals, the the header file and change the exit point so the header would hashes are recomputed and compared to their original values. have to be signed and checked whenever the program is run. The main advantage of this method is that there are virtually This detection method would be effective but difficult to no false negatives so if a file has been infected it will definitely implement since it involves changing the format of MachO be detected. This method also has several disadvantages. First, files. the original hash file must be computed before the infection occurs. If the binary is infected before a hash of the uninfected VII. CONCLUSION file is computed, then change detection will reveal nothing. Apple’s Mac OS X operating system is just as vulnerable to Another disadvantage comes from the fact that binary files on virus attacks as other operating systems. The fact that it has a system do change for legitimate reasons like when they are not been a major target for attackers could change as Mac OS updated. For this reason, a change detection scan would likely X is becoming more popular. And the fact that there are not as come up with numerous false positives which would place a many viruses for Mac OS X as there are for other platforms heavy burden on the user to sort through them. It is also does not reduce the severity of the threats that could be conceivable that a binary file could be infected shortly after it realized. It is therefore advised for Mac users to watch what was updated for legitimate reasons and the infection would not they’re downloading and running. Having antivirus software be detected. with change detection and heuristic activity scanning would C. Activity and Heuristic Scanner help reduce the risk, as well as running sandboxed and signed An activity based virus scanner monitors the activity of applications. Hopefully we will see improvements to MachO in the future that will make it harder to infect applications. 7
REFERENCES [1] Apple (2007, October) Mac OS X Security [Online]. Available: http://www.apple.com.sg/macosx/features/security [2] J. Jones. (2007, June 18) Days of Risk in 2006: Client OS Products [Online]. Available: http://blogs.csoonline.com/node/365 [3] J. Jones. (2007, June 13) Days of risk in 2006: Linux, Mac OS X, Solaris and Windows [Online]. Available: http://blogs.csoonline.com/days_of_risk_in_2006 [4] M. Muthanna. (2006, March 26) How OS X Executes Applications [Online]. Available: http://0xfe.blogspot.com/2006/03/howosx executesapplications.html [5] R. G Biv. (2006, October) Infecting MachO Files [Online]. Available: http://vx.netlux.org/lib/vrg01.html [6] N. Archibald. (2004, November 18) Infecting the MachO Object Format [Online]. Available: http://felinemenace.org/~nemo/slides/mach o_infection.ppt [7] Jon. (2006, June 9) MachO and Universal Binaries [Online]. Available: http://hohle.net/scrap_post.php?post=197 [8] iDefense Labs. (2007, May 24) Public Advisory [Online]. Available: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=537 [9] Wikipedia (2007, October 25) Universal Binary [Online]. Available: http://en.wikipedia.org/wiki/Universal_binary, [10] Wikipedia (2007, October 24) Fat Binary [Online]. Available: http://en.wikipedia.org/wiki/Fat_binary#MachO_and_Mac_OS_X [11] J. Hohle (2006, June 9) Macho and Universal Binaries [Online]. Available: http://hohle.net/scrap_post.php?post=197 [12] N. Dhanjani. (2004, June 27) New (local) Mac OS X vulnerability: Passwords in Swap files [Online]. Available: http://www.oreillynet.com/onlamp/blog/2004/06/new_local_mac_os_x_ vulnerabili.html [13] Wikipedia (2007, October 14) MachO [Online]. Available: http://en.wikipedia.org/wiki/MachO [14] A. Adams of Symantec. (2006, November 13) DeepSight Threat Management System: Research Report [Online]. Available: http://downloads.securityfocus.com/downloads/MacOSX_DeepSight_R eport.pdf